73 lines
2.6 KiB
Markdown
73 lines
2.6 KiB
Markdown
# Exploitation
|
|
|
|
* **exploit**: code or technique that a threat uses to take advantage of a
|
|
vulnerability
|
|
* why exploitation?
|
|
1. validating vulnerabilities
|
|
2. assess impact
|
|
3. prioritise fixes to vulnerabilities that can exploited
|
|
4. test incident response
|
|
5. exploited machine can work as pivot point
|
|
* risks
|
|
* system downtime
|
|
* system disruption
|
|
* data loss
|
|
* general bad things
|
|
* always verify exploit is allowed by Rules of Engagement
|
|
* most frequent initial access vectors
|
|
1. valid account usage, e.g. obtaining valid credentials
|
|
2. phishing
|
|
3. exploiting remote vulnerabilities
|
|
4. external remote services (e.g. managed filetransfer services)
|
|
|
|
## Categories
|
|
|
|
* **remote exploit**: attack a service listening on the network
|
|
* **client-side exploit**: attack a client application that fetches content
|
|
from a server
|
|
* **local privilege escalation exploit**: attack to gain higher privileges on
|
|
machine attacker is already on
|
|
* often not patched quickly as they're not considere critical
|
|
* various types
|
|
* race conditions
|
|
* kernel exploits
|
|
* local exploit of high-privileged program or service
|
|
* hardware and firmware exploits
|
|
* cryptographic exploits
|
|
|
|
### Client-side exploit
|
|
|
|
* wait for target user to access infected file on attacker-controller server
|
|
* target machine opens connection with attacker
|
|
* doesn't get blocked by firewall
|
|
* requires user interaction to run client program
|
|
* usually requires privilege escalation
|
|
* companies often wait too long to update software -> effective strategy
|
|
* exploit kits
|
|
* sophisticated delivery method for malware
|
|
* can be rented as a SaaS
|
|
* automatically inspects host for vulnerabilities
|
|
* gate servers to only forward vulnerable hosts to infected page
|
|
|
|
#### Pentesting
|
|
|
|
* email campaign
|
|
* send phishing mails to employees and exploit those that click
|
|
* risk of going out of scope (e.g. forwarding the email)
|
|
* better: spear-phishing emails with links or attachments
|
|
* only register how many clicks happened
|
|
* use controller company user that clicks link on purpose to see if
|
|
exploit works
|
|
* combined this is a safer method that provides useful statistics
|
|
* identify software used by company
|
|
1. ask target personnel
|
|
2. analyse metadata from documents
|
|
3. analyse cached DNS records
|
|
4. have target personnel surf to testing systems ([www.gotya.org])
|
|
5. assume very popular software is used (Adobe Reader, Microsoft Office...)
|
|
6. let personnel run software inventory tool
|
|
* important to use representative machine
|
|
* don't use newly patched laptop
|
|
|
|
## Metasploit
|